CERT/CC VU#653116 | CISA Advisory ICSA-26-055-03
- CVE: CVE-2025-10681
- Gr0m ID: Gr0m-004
- CVSS 3.1: 8.6 (High)
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
- CWE: CWE-798 (Hardcoded Credentials)
- Status: UNPATCHED
An Azure Blob Storage account key is hardcoded in both the Gardyn device firmware and mobile application. This account-level credential grants access to all blob containers including OTA firmware updates, device logs, and camera images from approximately 115,000 devices.
- Mobile app Hermes bytecode (index.android.bundle)
- Device firmware (/usr/local/etc/gardyn/)
Account and container names removed: specific Azure resource identifiers have been omitted from this public disclosure to reduce attacker enablement.
Three Azure Blob Storage accounts are accessible via the hardcoded key. They serve camera still images, device logs, OTA updates, timelapse videos (constructed from still images), and thumbnail images -- all at account-level (full access) permissions.
Enumeration revealed containers holding home interior camera still images (~115,000 cameras, image-only, no audio), device diagnostic logs (5+ years), timelapse recordings, and firmware update packages. The camera image, log, and OTA update containers are readable and writable with this key.
The hardcoded key provides write access to the OTA firmware update container.
- Read access to home interior camera images (~115,000 cameras)
- Read/write access to OTA firmware storage -- enables supply chain attacks
- Access to 5+ years of device diagnostic logs
- Storage cost attacks via arbitrary blob uploads
- Rotate all Azure Storage account keys
- Remove hardcoded credentials from app/firmware
- Implement per-device scoped SAS tokens with minimal permissions
- Set all containers to private access level
- Implement code signing for OTA firmware packages
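A pre-release check for the root cause above, added here as an example (not the advisory's or the vendor's code): it scans build artifacts for Azure Storage connection strings and for bare account keys, which are 64 random bytes encoded as 88 base64 characters ending in "==". The artifact paths and both keys in the sample are constructed.

```python
# Added example: pre-release scan of build artifacts for hardcoded Azure Storage credentials.
import base64
import re
from dataclasses import dataclass

# SDK-style connection string: ...;AccountName=<name>;AccountKey=<base64 key>;...
CONN_STR_RE = re.compile(rb"AccountName=([a-z0-9]{3,24});AccountKey=([A-Za-z0-9+/]{86}==)")
# Bare key: 64 random bytes -> 88 base64 chars ending in "==". Any 64-byte blob
# (a base64 SHA-512, for instance) matches too, so findings are candidates for review.
BARE_KEY_RE = re.compile(rb"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{86}==(?![A-Za-z0-9+/=])")

@dataclass(frozen=True)
class Finding:
    path: str         # artifact path relative to the scanned root
    kind: str         # "connection_string" or "bare_key"
    account: str      # account name when the match carries one, else ""
    fingerprint: str  # first 6 key chars: enough to correlate, not enough to use

def _decodes_to_64_bytes(b64: bytes) -> bool:
    try:
        return len(base64.b64decode(b64, validate=True)) == 64
    except ValueError:
        return False

def scan_bytes(path: str, data: bytes) -> list[Finding]:
    findings, seen = [], set()
    for m in CONN_STR_RE.finditer(data):
        if _decodes_to_64_bytes(m.group(2)):
            seen.add(m.group(2))
            findings.append(Finding(path, "connection_string", m.group(1).decode(), m.group(2)[:6].decode()))
    for m in BARE_KEY_RE.finditer(data):  # keys that are not wrapped in a connection string
        if m.group(0) not in seen and _decodes_to_64_bytes(m.group(0)):
            seen.add(m.group(0))
            findings.append(Finding(path, "bare_key", "", m.group(0)[:6].decode()))
    return findings

def scan_artifacts(artifacts: dict[str, bytes]) -> list[Finding]:
    """artifacts maps a relative path to its content, e.g. built with os.walk over an unpacked firmware tree."""
    return sorted((f for p, d in artifacts.items() for f in scan_bytes(p, d)), key=lambda f: f.path)

def demo_scan() -> list[Finding]:
    """Constructed stand-ins for the two locations the advisory names; both keys are fake."""
    fake_key_a = base64.b64encode(bytes(range(64)))       # 88 chars, ends in "==", not a real key
    fake_key_b = base64.b64encode(bytes(range(64, 128)))  # same shape, not a real key
    return scan_artifacts({
        "assets/index.android.bundle": b'var c="DefaultEndpointsProtocol=https;AccountName=examplestorage'
                                       b";AccountKey=" + fake_key_a + b';EndpointSuffix=core.windows.net";',
        "usr/local/etc/gardyn/storage.conf": b"blob_key = " + fake_key_b + b"\n"
                                             b"fw_sha256 = " + base64.b64encode(bytes(32)) + b"\n",
    })
```

Call demo_scan() to see the two findings on the constructed sample; in CI, build the dict from the unpacked firmware tree and the app bundle and fail the build on any finding.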
See CVE-2025-10681.md for the complete CISA-aligned advisory.
Researcher: Michael Groberman — Gr0m Contact: michael@groberman.tech · LinkedIn